August 4, 2020
Phishing, a type of social engineering, occurs when a third party attempts to obtain sensitive information through fraudulent electronic communication. Historically this has happened over email or text message, but other communication apps can be used, such as WhatsApp, Instagram direct messages, and Facebook Messenger.
Sensitive information can include usernames, passwords, credit card information, social security numbers, and bank information.
In this article we’ll discuss current phishing examples and how you can better prepare yourself against a phishing attack.
This article is part of our Definitive Guide to Phishing series.
Phishing is behind 90% of all online data breaches, each averaging $3.86 million in costs. And phishing isn’t slowing down. New phishing sites are created constantly, with one report estimating the number of new sites at 1.5 million per month. And if you’ve been successfully attacked, it’s likely you were targeted at least once before the phishers succeeded.
There are several types of phishing attacks, but six of them are the most common. Read on to learn about each of these phishing examples:
Phishing Example: Alert Scares
An alert scare is an email sent to elicit a quick emotional response. The message will likely state that something must be done quickly to prevent a negative outcome, such as account deactivation or closure, a problem with your account, a missed payment, or incorrect billing information.
The email will direct the reader to a website that appears legitimate and ask for personal or business information such as a password, account number, credit card information, etc.
How to prevent an alert scare: If you receive an email or a phone call that sounds like an alert scare phishing attempt, do not click on any links and do not give any sensitive information over the phone. Type the URL of the website you want to visit manually or open it from a bookmark in your browser. If you’re on the phone, hang up and call the legitimate number you’ve used before. Do not assume that unsolicited communication is genuine or that you must hand over sensitive information online or over the phone.
Look-a-like Websites (Cloned Sites)
Cloned or look-a-like websites are exactly what the name suggests: websites built to mimic a legitimate website or brand. The URL may be slightly different, including a number or a subtle misspelling that isn’t easily spotted. This type of phishing attack is typically delivered via email or a messaging platform. When the reader clicks the link, the website looks familiar, and entering sensitive information feels and looks normal.
How to prevent falling for a look-a-like or cloned website: Avoid clicking on links in emails, but if you do click one, always check the URL in your browser. Look for anything unfamiliar: an additional dash or underscore in the domain name, a number, a misspelling, etc. Back out of the site and visit the legitimate URL separately. Always check the URL for anything suspicious before you enter any sensitive information.
Tech Support Scams
Tech support scams can come in several forms, but traditionally they are carried out under the guise of a cold call from a brand you use or are familiar with. A technician or customer support representative will call you, claim to be from a legitimate company, and alert you to a malware or cyber security issue on your computer or network.
The technician will likely add pressure to the situation, claiming it is time sensitive and that you need to provide information quickly to avoid further damage. The technician may also attempt to install software, such as a remote access tool, on your computer in order to “fix” the problem he or she has found. With access to your computer or the sensitive information collected, the phisher is able to install malware or steal information quickly and easily.
How to prevent falling for a tech support scam: Just as with alert scares and look-a-like websites, it’s important to vet any information or people claiming to be legitimate. If you receive a phone call from a technician claiming to have discovered a problem on your computer or network, hang up and dial the legitimate business phone number. A reputable brand would never call an individual or an employee at a business to deliver this message; it would use the communication channel it uses for all messages, likely email or a client portal.
SEO Trojans
SEO trojans, also known as search engine optimization poisoning, are malicious links that show up in ordinary search engine results. They use the same look-a-like or cloned website techniques, adjusting a small part of the URL, such as adding a dash or an underscore or introducing a slight misspelling, in order to trick users into thinking they are clicking on the correct site.
How to avoid an SEO trojan attack: When you search for a business name, the first result outside the ad spaces is likely the correct URL. But to be sure, always check the URL and look for anything out of place. For extra caution, once you visit a legitimate site, bookmark it in your browser so you can return directly there when you need to.
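The URL check recommended above, for look-a-like sites and for SEO trojans alike, can be made mechanical by comparing the hostname in a link against a short list of domains you actually trust and flagging the tricks the article names: extra dashes and underscores, digits standing in for letters, one-character misspellings, and a trusted name buried in someone else's domain. The Python below is an added example, not code from the original article. The trusted-domain list, the confusable-character table and the sample URLs are constructed for illustration, and the two-label "registrable domain" is a simplification that ignores multi-part suffixes such as .co.uk.

```python
"""Heuristic look-alike domain check for links in email or search results.

Added example; not from the original article.  TRUSTED_DOMAINS, CONFUSABLES
and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed allow-list: the brand domains this user or organisation trusts.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Single-character substitutions phishers use to imitate letters (examp1e, 3xample).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'login.example.com' -> 'example.com'.

    Simplification: two-part public suffixes such as .co.uk are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Strip dashes/underscores and undo common homoglyph tricks (examp1e, exarnple, vvebsite)."""
    label = label.replace("-", "").replace("_", "").translate(CONFUSABLES)
    return label.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> tuple:
    """Classify a URL as ('ok' | 'suspicious' | 'unknown', reason)."""
    host = urlparse(url).hostname or ""
    if not host:
        return ("suspicious", "URL has no hostname")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return ("ok", f"{domain} is a trusted domain")
    # A trusted name used as a subdomain of something else: example.com.login-verify.net
    for trusted in TRUSTED_DOMAINS:
        if f".{trusted}." in f".{host}.":
            return ("suspicious", f"trusted name {trusted!r} used as a subdomain of {domain!r}")
    # Near miss on the second-level label: digits, dashes, homoglyphs, or a one-letter typo
    label = normalise(domain.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        trusted_label = normalise(trusted.split(".")[0])
        if label == trusted_label or edit_distance(label, trusted_label) <= 1:
            return ("suspicious", f"{domain!r} resembles trusted domain {trusted!r}")
    return ("unknown", f"{domain!r} does not resemble any trusted domain")


if __name__ == "__main__":
    # Constructed sample links of the kind an email or poisoned search result might carry.
    for sample in [
        "https://www.example.com/login",
        "https://examp1e.com/login",
        "https://example-bank.com/secure",
        "https://exarnple.com/",
        "https://example.com.login-verify.net/",
        "https://unrelated.org/",
    ]:
        verdict, reason = check_url(sample)
        print(f"{verdict:10} {sample:45} {reason}")
```

Only the "ok" verdict is an answer; "suspicious" and "unknown" both mean the user should back out and reach the site from a bookmark or a typed address, exactly as the article advises. An edit distance of one is a deliberately aggressive threshold, so a legitimate but unrelated domain that happens to be one letter away from a trusted brand will also be flagged for a second look.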
Wire Transfer Scams
Similar to a tech support scam and an alert scare, a wire transfer scam can be delivered via email or phone, appears to be from a legitimate brand or business, and urgently requests that you wire funds to a specific location.
How to prevent a wire transfer scam: Check the sender information in the email and make sure it’s actually from the brand or business. If the scam comes via phone call, tell the caller you’ll call them back on the number you have on file, and hang up.
CEO Fraud
CEO fraud occurs when a cyber criminal or phisher is able to mimic or impersonate an executive and trick other employees into executing a fund transfer or handing over sensitive information. The emails resemble an alert scare, but they appear to come from a high-level executive within the same company. The employees targeted are often in HR or accounting and have access to employee information and the business’s financial information. The emails are meant to manipulate the employee into sending money or giving out information that they wouldn’t otherwise send.
How to prevent CEO fraud: Always check the sender information on emails that appear to be from a high-level executive requesting the release of information or funds. If possible, add a policy that requires two signatures for the release of any sensitive information, putting another layer between the attacker and the targeted employee.
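"Check the sender information", the advice given for both wire transfer scams and CEO fraud, can be partly automated on the mail headers: an executive's display name paired with an outside address, a From domain that is not the company's own, a Reply-To that diverts answers elsewhere, a bounce address from a different domain, and pressure language in the subject. The Python below is an added example and not code from the original article. The company domain, the executive roster, the pressure-word list and both sample messages are constructed, and the Return-Path comparison in particular is a heuristic (legitimate bulk mail often uses a separate bounce domain), so the function returns reasons for a human to verify rather than a verdict.

```python
"""Flag sender-header signs of CEO fraud and wire transfer scams.

Added example; not from the original article.  COMPANY_DOMAIN, EXECUTIVES,
URGENCY_WORDS and both sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # constructed: the organisation's own mail domain

# Constructed roster: executive display names and the address each really sends from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed list of words that signal urgency plus a money or information request.
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire", "transfer", "today")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_findings(raw_message: str) -> list:
    """Return human-readable reasons this message deserves a second look (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. An executive's display name, but not the address that executive really uses.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(
            f"display name {from_name!r} is an executive but address is "
            f"{from_addr!r}, expected {expected!r}"
        )

    # 2. The From domain is not the company's own (a look-alike or external domain).
    if from_domain != COMPANY_DOMAIN:
        findings.append(f"From domain {from_domain!r} is not {COMPANY_DOMAIN!r}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")

    # 4. The bounce address comes from a different domain than the visible From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_domain:
        findings.append(
            f"Return-Path domain {_domain(return_path)!r} differs from "
            f"From domain {from_domain!r}"
        )

    # 5. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"subject uses pressure language: {', '.join(hits)}")

    return findings


# Constructed sample: an impersonation attempt aimed at accounts payable.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: ceo.jane.doe@freemail.example.org
To: accounts.payable@example.com
Subject: URGENT wire transfer needed today
Content-Type: text/plain

Please wire the attached invoice amount before 5pm. I am in a meeting, do not call.
"""

# Constructed sample: an ordinary internal message from the same executive.
LEGIT_MESSAGE = """\
Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 budget review
Content-Type: text/plain

Attached are the slides for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(f"{label}: {len(sender_findings(raw))} finding(s)")
        for reason in sender_findings(raw):
            print("  -", reason)
```

These checks look only at the headers a recipient can see. Mail servers apply the same reasoning with authenticated data: DMARC alignment compares the From domain against the domains validated by SPF and DKIM, which is why publishing a DMARC policy for your own domain makes the executive-impersonation case much harder to pull off in the first place. The two-signature policy the article recommends still matters, because none of these checks help when an attacker is sending from a genuinely compromised executive mailbox.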
Phishing is an effective method that cyber attackers use to obtain your sensitive information. Be watchful and alert. Arm yourself and your team with the most up-to-date information so you can stay protected.
To learn more about phishing, check out the Definitive Guide to Phishing.
Written by: Patrick Browns